One of the most widespread cyber attacks the world has seen, the WannaCry ransomware outbreak, struck just last week. Among the hardest hit victims was an already overstretched and under-resourced bastion of Great Britain - the NHS.

Here at Redcello, we're not keen to jump on any bandwagons, but we feel the need to spark a conversation - not about the attack itself, but about the exposure any enterprise creates by continuing to run unsupported legacy systems, and to ask how responsible it is for organisations to keep doing so.

How this impacts daily life

We have seen the effects of the recent WannaCry attack on the NHS and on its patients - cancelled operations and whole departments unable to function - while many other organisations, including FedEx and Renault, reported disruption to their services.
How far can legacy infrastructure interfere with daily life? Well, you have the usual facets - slower system performance and poor end-user experiences are usually the front-line effects; however, the impact reaches further than that.

The attack hindered the NHS in delivering its normal level of service to patients for several days, on top of the cost of lost productivity across the many organisations that were affected. From another angle, legacy systems hold IT departments back: time spent keeping older infrastructure running is time not spent learning new technologies and developing much-needed, future-proof IT skills.

Why is this still happening?

Many organisations were aware of the issues and had been duly warned - take this article from Information Age, written back in March this year by Nick Ismail, in which he claims that the healthcare sector accounted for the highest number of cyber attacks since records began.

There are a number of reasons why so many institutions have continued to run old operating systems, hardware and legacy applications. Firstly, cost is usually a factor - both time and money. A widespread update of software and infrastructure that wreaks havoc with an organisation's delivery of services is not on anyone's list of today's to-dos; interrupting income-producing activities or hindering provisioning processes seems a grim scenario. What must also be weighed, however, is the high level of maintenance that legacy infrastructure demands, and the fact that an unsupported system no longer receives security fixes from its vendor, so the cost of keeping it is not just upkeep but exposure to every flaw found after support ended. Is it really cost effective to keep plodding along with the same old systems?

Secondly, many organisations have a culture of "if it's not broke…". Let's not forget the dependencies that legacy systems accumulate: updating one system can immediately make others incompatible, causing disruption across the organisation. The analogy that springs to mind is the fear of pulling out the wrong Jenga piece and bringing the whole tower down.

Thirdly, in many enterprises IT isn't seen as a top priority or as a driver of overall business objectives, and this should change. Technology should be harnessed to provide better services and support business practice at every level.

What's the strategy?

Assess what your business is ACTUALLY using in terms of applications, and what value they really have to the business. That inventory should cover operating systems and their vendor support status as well as applications, since that is where the exposure to an attack like WannaCry sits. This article from Computerworld advises that business analysis should play a key role in identifying the need and staying aligned with overall business objectives; John Brandon gives four different scenarios in that piece (Source).
Update infrastructure, software and applications piecemeal if a rip-and-replace seems too risky.

Macro-level IT reforms - should we now be creating policies and frameworks that govern when IT systems are reviewed, audited and upgraded? Such policies should be written internally and also regulated at state level.
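To make the assessment step concrete, here is an added example that is not part of the original post and not Redcello's own tooling: a Python check that runs over a constructed asset inventory, flags hosts whose operating system is past vendor end-of-support, treats platforms it does not recognise as findings rather than passes, and orders the result for remediation. The hostnames, roles and dates in the inventory are made up, the assessment date is assumed to be the week after the outbreak, and the end-of-support table is an assumed reference that must be checked against the vendor's lifecycle pages before use.

```python
"""Unsupported-OS check over an asset inventory.

Added example for this post (not Redcello's own tooling). Hostnames,
roles and dates in SAMPLE_INVENTORY are constructed for the demonstration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Vendor end-of-support dates for some Windows releases. Treat this as an
# assumed reference table: confirm it against the vendor's lifecycle pages
# and keep it current, because a stale table silently passes hosts.
END_OF_SUPPORT: Dict[str, date] = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Vista": date(2017, 4, 11),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
}

# Constructed sample inventory: made-up hosts, shaped like an export from a
# CMDB or discovery scan. An empty last_patched means "never recorded".
SAMPLE_INVENTORY = """\
hostname,os,last_patched,role
mri-workstation-01,Windows XP,2013-11-02,imaging
ward-pc-14,Windows 7,2017-03-15,clinical
file-srv-02,Windows Server 2003,2015-06-30,file share
lab-analyser-03,Embedded Controller OS,,instrument
web-srv-01,Windows Server 2012 R2,2017-05-10,web
"""

# Assumed assessment date: the week after the WannaCry outbreak of May 2017.
ASSESSMENT_DATE = date(2017, 5, 19)


@dataclass(frozen=True)
class Finding:
    hostname: str
    os: str
    status: str                      # "unsupported", "unknown" or "supported"
    days_unsupported: int            # 0 unless status == "unsupported"
    days_since_patch: Optional[int]  # None when no patch date was recorded


def assess_inventory(csv_text: str, today: date) -> List[Finding]:
    """Classify every host. An OS missing from the table is reported as
    'unknown' rather than passed: an unrecognised platform is exactly the
    kind of system an assessment must not lose."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        os_name = row["os"].strip()
        eos = END_OF_SUPPORT.get(os_name)
        if eos is None:
            status, days_unsupported = "unknown", 0
        elif today > eos:
            status, days_unsupported = "unsupported", (today - eos).days
        else:
            status, days_unsupported = "supported", 0
        patched = (row.get("last_patched") or "").strip()
        days_since_patch = (today - date.fromisoformat(patched)).days if patched else None
        findings.append(Finding(row["hostname"].strip(), os_name, status,
                                days_unsupported, days_since_patch))
    return findings


_RANK = {"unsupported": 0, "unknown": 1, "supported": 2}


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Order for remediation: longest-unsupported first, then unknown
    platforms, then supported hosts with the stalest patch level."""
    def key(f: Finding):
        stale = f.days_since_patch if f.days_since_patch is not None else 10 ** 6
        return (_RANK[f.status], -f.days_unsupported, -stale)
    return sorted(findings, key=key)


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count hosts per status."""
    counts = {"unsupported": 0, "unknown": 0, "supported": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = prioritise(assess_inventory(SAMPLE_INVENTORY, ASSESSMENT_DATE))
    print(summarise(results))
    for f in results:
        print(f"{f.hostname:20} {f.os:25} {f.status:12} "
              f"unsupported_for={f.days_unsupported}d "
              f"last_patch={f.days_since_patch}d")
```

Running it against a real export rather than the embedded sample is a matter of passing the file contents to assess_inventory. The design choice worth noting is the "unknown" status: the devices most likely to be missing from a reference table (imaging equipment, instrument controllers, anything bought as an appliance) are precisely the ones an assessment must not lose, so they land on the remediation list instead of falling through it.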

In conclusion, there should be more accountability and responsibility on organisations, particularly in the public and healthcare sectors, to ensure up-to-date, secure infrastructure and systems are in place - not only to protect the data of those they serve, but also to ensure they can continue to deliver services without interruption.